10-05-2007 12:26 AM - edited 03-11-2019 04:21 AM
The ASA and PIX ver 7 and up are supposed to work in a no nat-control mode (by default). Several discussions in the forum focus on the NAT and STATIC commands. What I really would like is an explanation of how to configure the ASA to route traffic between interfaces without the use of STATIC commands. I have tried to do this with no luck.
If there is anyone who has knowledge and perhaps a working example of a configuration for the ASA to do this, I would be very happy.
10-05-2007 03:27 AM
Jim, this document explains exactly what you are looking for: NAT communication between interfaces with NAT Exemption, with examples. Please go over this doc.
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/cfgnat.html#wp1002608
Rgds
Jorge
10-07-2007 06:45 PM
If you issue the command "no nat-control" (which is actually the default on a new ASA, but not on an upgraded PIX), then the firewall will route outbound packets (from inside->outside) without any additional commands, just like a router. Inbound packets (from outside->inside) only require an access-list, no static.
If you have "no nat-control" AND static/nat statements then the static/nat statements will apply to matching traffic, and all other traffic will flow without being NAT'd.
If you have "nat-control" AND static/nat statements then the static/nat statements will apply to matching traffic, and all other traffic will BE DROPPED.
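The three cases above, as an added configuration example (not from the original post): a minimal ASA 7.x setup with "no nat-control" that passes traffic in both directions with no nat, global or static at all. The interface names (inside/outside), the addresses and the server 10.1.2.10 are assumed for illustration. Because nothing is translated, this only works where the next hop on the outside can actually route to the inside addresses (between internal segments, or over a private WAN), not toward the public Internet.

```cisco
! Added example, not from the original post. Names and addresses are assumed.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Make sure translation is not required. This is the default on a fresh ASA,
! but verify it after a PIX upgrade, where nat-control stays on.
no nat-control
!
! Outbound (inside -> outside): allowed by the security levels alone,
! no nat/global pair is needed.
! Inbound (outside -> inside): only an ACL on the outside interface is needed;
! the real inside address is the destination because nothing translates it.
access-list outside_access_in extended permit tcp any host 10.1.2.10 eq 443
access-group outside_access_in in interface outside
!
! Like a router, the ASA still needs a route to inside networks that are not
! directly connected (10.1.2.0/24 sits behind an assumed inside router 10.1.1.254).
route inside 10.1.2.0 255.255.255.0 10.1.1.254 1
!
! Verification:
!   show run nat-control        -> "no nat-control"
!   show xlate                  -> empty, nothing is being translated
!   show logging | include 30500 -> no 305005/305006 "no translation" failures
```

The moment a nat or static statement is added that matches some traffic, that traffic is translated according to it and the rest keeps flowing untranslated; with "nat-control" turned on, the untranslated remainder is dropped instead.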
10-07-2007 11:09 PM
Hi, thanks for your answer gfullage.
I have issued the command show run nat-control, and get the answer no nat-control. So I guess this is correct. With inside and outside I assume you mean from an interface with a higher security-level to another interface with a lower security-level?
Here is a part of the configuration. What I am trying to do is getting traffic to flow from interface ADM to interface RES without any static commands. Behind the ADM interface there is a number of subnets of net 10.0.0.0.
!
interface GigabitEthernet0/0
nameif ADM
security-level 100
ip address 10.1.1.1 255.255.0.0
!
interface GigabitEthernet0/1
nameif RES
security-level 50
ip address 10.127.0.1 255.255.255.0
!
interface Management0/0
description LAN/STATE Failover Interface
speed 100
duplex full
!
interface GigabitEthernet1/0
media-type sfp
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/0.1
vlan 2
nameif PUB
security-level 0
ip address 197.46.138.4 255.255.255.0
!
interface GigabitEthernet1/0.2
description DMZ1
vlan 3
nameif DMZ1
security-level 10
ip address 10.3.25.1 255.255.255.0
!
access-list PUB_access_in extended permit ip any any
access-list ADM_access_in extended permit ip any any
access-list DMZ1_access_in extended permit ip any any
access-list RES_access_in extended permit ip any any
global (PUB) 10 interface
global (DMZ2) 10 interface
nat (ADM) 10 10.0.0.0 255.0.0.0
static (ADM,DMZ1) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (DMZ1,ADM) 10.3.25.0 10.3.25.0 netmask 255.255.255.0
static (DMZ1,PUB) 194.6.236.17 10.3.25.25 netmask 255.255.255.255
access-group ADM_access_in in interface ADM
access-group RES_access_in in interface RES
access-group PUB_access_in in interface PUB
access-group DMZ1_access_in in interface DMZ1
!
As soon as I add the command:
static (ADM,RES) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
It works and I can get traffic from ADM to RES. If I remove the line it stops.
Is it the other static commands that mess things up?
10-08-2007 06:42 PM
Hmmm, it's probably this:
nat (ADM) 10 10.0.0.0 255.0.0.0
This does match the incoming traffic, but then there's no matching global for the RES interface, so it's probably being dropped. What does the syslog show when you try and get traffic through? You'll probably see a bunch of 305006 syslog messages (if my assumption is correct).
I would have thought with no nat-control it wouldn't have worried about the nat statement, but maybe because it does match then it assumes you do want to nat it to something. As I said, even with "no nat-control", we will still nat packets if they match on a static/nat, and this seems to be what's happening here. When you then add the static command, that takes precedence over the nat command and is used correctly.
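An added example (not from the thread) of confirming the diagnosis above and then fixing it without the static the original poster wanted to avoid. It reuses the ADM/RES names and networks from the posted config; the host addresses 10.1.5.10 and 10.127.0.50, and the ACL name ADM_nat0, are assumed. The packet-tracer step assumes ASA 7.2 or later, where that command exists.

```cisco
! Added example, not from the thread. Hosts 10.1.5.10 / 10.127.0.50 are assumed.
!
! 1. Reproduce and look for the NAT failure syslog. The line
!      nat (ADM) 10 10.0.0.0 255.0.0.0
!    matches the ADM sources, so the ASA looks for a global (RES) 10 and finds none.
logging enable
logging buffered informational
! ... send traffic from ADM to RES, then:
show logging | include 30500
! Expect %ASA-3-305005 (no translation group found) or %ASA-3-305006
! (regular translation creation failed) with src ADM:10.x.x.x dst RES:10.127.0.x.
!
! On 7.2 and later the NAT phase of packet-tracer reports the same drop
! without needing real traffic:
packet-tracer input ADM tcp 10.1.5.10 12345 10.127.0.50 22
!
! 2a. Fix with NAT exemption. nat 0 with an access-list is evaluated before the
!     other nat statements, so ADM->RES is taken out of nat 10: no global (RES)
!     is needed and sources reach RES untranslated.
access-list ADM_nat0 extended permit ip 10.0.0.0 255.0.0.0 10.127.0.0 255.255.255.0
nat (ADM) 0 access-list ADM_nat0
!
! 2b. Alternative, which is what the original poster found works: an identity
!     static. A static takes precedence over the nat/global pair for matching traffic.
! static (ADM,RES) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
!
! 2c. Not recommended here: adding a global on RES would make nat 10 succeed, but
!     it would PAT every ADM source to the RES interface address and hide the real
!     client addresses from the RES hosts.
! global (RES) 10 interface
!
! 3. Verify: the exemption shows up under show nat, and no further 305005/305006.
show nat
show xlate
show logging | include 30500
```

Either 2a or 2b makes the ADM->RES traffic bidirectional (subject to the interface ACLs), but 2a keeps the configuration free of static statements, which was the original question.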